AMENDMENTS TO THE CLAIMS

Please amend the claims as follows. 

1. (Currently Amended) A method of operating extending role scope in a directory server
system comprising: 

obtaining an updated tree structure comprising an extra scope by: 

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope[[;]],

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining [[an]] the extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule[[;]], and

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope; and

performing a role operation associated with the updated tree structure in response to a
request, wherein the role operation identifies that the second user entry possesses
the role.

2. (Previously Presented) The method of claim 1, wherein the existing role entry is a nested role 
entry defining at least one other role. 

3. (Previously Presented) The method of claim 2, wherein the existing role entry has an 
attribute defining the at least one other role. 

4. (Previously Presented) The method of claim 1, wherein the role membership condition
comprises a candidate user entry having an attribute designating the role defined by the 
existing role entry. 

5. (Previously Presented) The method of claim 1, wherein the existing role entry has a role 
filter condition, and the role membership condition comprises one or more attributes of a 
candidate user entry meeting the role filter condition. 

6. (Original) The method of claim 5, wherein the existing role entry has an attribute designating 
the role filter condition. 

7. (Cancelled) 

8. (Cancelled) 

9. (Previously Presented) The method of claim 1, wherein the extra scope is defined as a 
subtree of the designated location. 

10. (Previously Presented) The method of claim 1, wherein the first predefined rule comprises 
defining the existing role entry's associated scope as a subtree of a parent of the existing role 
entry in the tree structure. 

11. (Currently Amended) The method of claim 1, further comprising: wherein the request 
comprises 

d) responding to a request of whether a designated user entry has a given role [[by]],
and wherein performing the role operation comprises:

d1) identifying a corresponding role entry corresponding to the given role;

d2) determining whether the designated user entry meets the first condition in
relation to the corresponding role entry;

d3) if the designated user entry does not meet the first condition in relation to
the corresponding role entry, determining whether the corresponding role
entry has extra role data identifying an extra scope; and

d4) if the corresponding role entry has extra role data, determining whether
the designated user entry meets the second condition in relation to the
corresponding role entry.

12. (Currently Amended) The method of claim 1, further comprising: wherein the request
comprises

d) responding to a request for any user entries having a given role [[by]], and
wherein performing the role operation comprises:

d1) identifying a corresponding role entry corresponding to the given role;

d2) scanning the tree to identify any user entries meeting the first condition in 
relation to the corresponding role entry; and 

d3) if the corresponding role entry has extra role data identifying an extra 
scope, scanning the tree to identify any user entries meeting the second 
condition in relation to the corresponding role entry. 

13. (Currently Amended) The method of claim 1, further comprising: wherein the request 
comprises 

d) responding to a request for roles of a given user entry [[by]], and wherein
performing the role operation comprises:

d1) identifying a candidate role entry;

d2) determining whether the given user entry meets the first condition in 
relation to the candidate role entry; 

d3) if the given user entry does not meet the first condition in relation to the 
candidate role entry and the candidate role entry has extra role data 
identifying an extra scope, determining whether the given user entry 
meets the second condition in relation to the candidate role entry; and 

d4) repeating said d1) through said d3) with other candidate role entries until
an end condition is met. 

14. (Previously Presented) The method of claim 13, wherein the end condition comprises 
having performed said d1) through said d3) with substantially all the applicable candidate
role entries. 

15. (Previously Presented) The method of claim 13, wherein the given user entry belongs to a 
subtree of a top suffix of the tree structure, said d2) is performed for each role entry 
belonging to the subtree of said top suffix, and said d3) is performed for each role entry 
belonging to any subtree of any top suffix of the tree structure. 

16. (Currently Amended) A directory server system comprising:

a directory server that interacts interacting with entries in a tree structure, said tree
structure comprising an existing role entry and a first user entry, wherein the 
existing role entry defines a role and has an associated scope in the tree structure 
based on the existing role entry's location in the tree structure according to a first 
predefined rule; and 

a role mechanism that obtains an updated tree structure comprising an extra scope by: 

capable of attaching the existing role entry's role to the first user entry subject to 
a first condition comprising a role membership condition and the first 
user entry belonging to the associated scope[[;]], and
said role mechanism further capable of attaching the existing role entry's role to a
second user entry subject to a second condition comprising said role 
membership condition and the second user entry belonging to an extra 
scope identified by extra role data of the existing role entry, wherein the 
extra role data comprise an added attribute having a special attribute name 
and being associated with an attribute value identifying a designated 
location in the tree structure outside of the existing role entry's associated 
scope, and the extra scope is based on the designated location according to 
a second predefined rule,
wherein the directory server performs a role operation associated with the updated tree 
structure in response to a request wherein the role operation identifies that the 
second user entry possesses the role.

17. (Previously Presented) The directory server system of claim 16, wherein the existing role 
entry is a nested role entry defining at least one other role. 

18. (Previously Presented) The directory server system of claim 17, wherein the existing role 
entry has an attribute defining the at least one other role. 

19. (Previously Presented) The directory server system of claim 16, wherein the role 
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

20. (Previously Presented) The directory server system of claim 16, wherein the existing role
entry has a role filter condition, and the role membership condition comprises one or more 
attributes of a candidate user entry meeting the role filter condition. 

21. (Original) The directory server system of claim 20, wherein the existing role entry has an 
attribute designating the role filter condition. 

22. (Cancelled) 

23. (Cancelled) 

24. (Previously Presented) The directory server system of claim 16, wherein the extra scope is 
defined as a subtree of the designated location. 

25. (Previously Presented) The directory server system of claim 16, wherein the first predefined 
rule comprises defining the existing role entry's associated scope as a subtree of a parent of 
the existing role entry in the tree structure. 

26. (Currently Amended) The directory server system of claim 16, wherein the role mechanism
is further capable of responding to request comprises a request of whether a designated user
entry has a given role [[by]], and wherein performing the role operation comprises:

i) identifying a corresponding role entry corresponding to the given role; 

ii) determining whether the designated user entry meets the first condition in relation 
to the corresponding role entry; 

iii) if the designated user entry does not meet the first condition in relation to the 
corresponding role entry, determining whether the corresponding role entry has 
extra role data defining an extra scope; and 

iv) if the corresponding role entry has extra role data, determining whether the 
designated user entry meets the second condition in relation to the corresponding 
role entry. 

27. (Currently Amended) The directory server system of claim 16, wherein the role mechanism
is further capable of responding to the request comprises a request for any user entries
having a given role [[by]], and wherein performing the role operation comprises:

i) identifying a corresponding role entry corresponding to the given role; 

ii) scanning the tree to identify any user entries meeting the first condition in relation
to the corresponding role entry; and 

iii) if the corresponding role entry has extra data identifying an extra scope, scanning 
the tree to identify any user entries meeting the second condition in relation to the 
corresponding role entry. 

28. (Currently Amended) The directory server system of claim 16, wherein the role mechanism
is further capable of responding to request comprises a request for roles of a given user entry
[[by]], and wherein performing the role operation comprises:

i) identifying a candidate role entry; 

ii) determining whether the given user entry meets the first condition in relation to 
the candidate role entry; 

iii) if the given user entry does not meet the first condition in relation to the candidate 
role entry and the determined role entry has extra data identifying an extra scope, 
determining whether the given user entry meets the second condition in relation 
to the candidate role entry; and 

iv) repeating said i) through said iii) with other candidate roles entries until an end 
condition is met. 

29. (Previously Presented) The directory server system of claim 28, wherein the end condition 
comprises having performed said i) through said iii) with substantially all the applicable 
candidate role entries. 

30. (Previously Presented) The directory server system of claim 28, wherein the given user 
entry belongs to a subtree of a top suffix of the tree structure, said ii) is performed for each 
role entry belonging to the subtree of said top suffix, and said iii) is performed for each role 
entry belonging to any subtree of any top suffix of the tree structure. 

31. (Currently Amended) A computer readable storage medium having stored thereon
instructions comprising software code stored thereon for:

obtaining an updated tree structure comprising an extra scope by: 

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope[[;]], 

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining [[an]] the extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule[[;]], and

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope; and

performing a role operation associated with the updated tree structure in response to a
request wherein the role operation identifies that the second user entry possesses
the role.

32. (Currently Amended) The computer readable storage medium of claim 31, wherein the 
existing role entry is a nested role entry defining at least one other role. 

33. (Currently Amended) The computer readable storage medium of claim 32, wherein the 
existing role entry has an attribute defining the at least one other role. 

34. (Currently Amended) The computer readable storage medium of claim 31, wherein the role 
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

35. (Currently Amended) The computer readable storage medium of claim 31, wherein the 
existing role entry has a role filter condition, and the role membership condition comprises 
one or more attributes of a candidate user entry meeting the role filter condition. 

36. (Currently Amended) The computer readable storage medium of claim 35, wherein the
existing role entry has an attribute designating the role filter condition. 

37. (Cancelled) 

38. (Cancelled) 

39. (Currently Amended) The computer readable storage medium of claim 31, wherein the extra 
scope is defined as a subtree of the designated location. 

40. (Currently Amended) The computer readable storage medium of claim 31, wherein the first 
predefined rule comprises defining the existing role entry's associated scope as a subtree of a 
parent of the existing role entry in the tree structure. 

41. (Currently Amended) The computer readable storage medium of claim 31, further
comprising instructions for: wherein the request comprises

d) responding to a request of whether a designated user entry has a given role [[by]],
and wherein performing the role operation comprises:

d1) identifying a corresponding role entry corresponding to the given role;

d2) determining whether the designated user entry meets the first condition in
relation to the corresponding role entry;

d3) if the designated user entry does not meet the first condition in relation to
the corresponding role entry, determining whether the corresponding role
entry has extra role data identifying an extra scope; and

d4) if the corresponding role entry has extra role data, determining whether
the designated user entry meets the second condition in relation to the
corresponding role entry.

42. (Currently Amended) The computer readable storage medium of claim 31, further
comprising instructions for: wherein the request comprises

d) responding to a request for any user entries having a given role [[by]], and
wherein performing the role operation comprises:

d1) identifying a corresponding role entry corresponding to the given role;

d2) scanning the tree to identify any user entries meeting the first condition in
relation to the corresponding role entry; and 

d3) if the corresponding role entry has extra role data identifying an extra 
scope, scanning the tree to identify any user entries meeting the second 
condition in relation to the corresponding role entry. 

43. (Currently Amended) The computer readable storage medium of claim 31, further
comprising instructions for: wherein the request comprises

d) responding to a request for roles of a given user entry [[by]], and wherein
performing the role operation comprises:

d1) identifying a candidate role entry;

d2) determining whether the given user entry meets the first condition in 
relation to the candidate role entry; 

d3) if the given user entry does not meet the first condition in relation to the 
candidate role entry and the candidate role entry has extra role data 
identifying an extra scope, determining whether the given user entry 
meets the second condition in relation to the candidate role entry; and 

d4) repeating said d1) through said d3) with other candidate role entries until
an end condition is met. 

44. (Currently Amended) The computer readable storage medium of claim 43, wherein the end 
condition comprises having performed said d1) through said d3) with substantially all the
applicable candidate role entries. 

45. (Currently Amended) The computer readable storage medium of claim 43, wherein the 
given user entry belongs to a subtree of a top suffix of the tree structure, said d2) is 
performed for each role entry belonging to the subtree of said top suffix, and said d3) is 
performed for each role entry belonging to any subtree of any top suffix of the tree structure. 
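
The role check recited in claims 9 to 11 and 13, as an added illustration that is not part of the filing and not the applicant's implementation. It assumes the membership condition of claim 4 (the user entry lists the role), DNs without escaped commas, and hypothetical names (`role_dns`, `extra_scopes`, the sample entries), all constructed for this example.

```python
from dataclasses import dataclass, field

def rdns(dn):
    """Split a DN into lower-cased RDNs (assumption: no escaped commas)."""
    return tuple(p.strip().lower() for p in dn.split(",") if p.strip())

def in_subtree(entry_dn, base_dn):
    """True if entry_dn is base_dn or lies below it, compared on whole RDNs."""
    e, b = rdns(entry_dn), rdns(base_dn)
    return len(e) >= len(b) and (not b or e[-len(b):] == b)

@dataclass
class Role:
    dn: str
    # Values of the added extra-scope attribute (hypothetical field name).
    extra_scopes: list = field(default_factory=list)

    def associated_scope(self):
        # First predefined rule (claim 10): subtree of the role entry's parent.
        return ",".join(rdns(self.dn)[1:])

def has_role(user, role):
    """Steps d2) to d4) of claim 11. Returns (decision, reason) for audit logging."""
    # Role membership condition (claim 4): the user entry designates the role.
    if rdns(role.dn) not in {rdns(r) for r in user["role_dns"]}:
        return (False, "not-member")
    # d2) first condition: membership and the associated scope.
    if in_subtree(user["dn"], role.associated_scope()):
        return (True, "associated-scope")
    # d3)/d4) second condition: membership and an extra scope (claim 9: subtree).
    for base in role.extra_scopes:
        if in_subtree(user["dn"], base):
            return (True, "extra-scope:" + base)
    return (False, "out-of-scope")

def roles_of(user, candidate_roles):
    """Claim 13: repeat the check over every candidate role entry."""
    return [r.dn for r in candidate_roles if has_role(user, r)[0]]

# Constructed sample tree entries.
ROLE = Role("cn=auditor,ou=sales,dc=example,dc=com",
            extra_scopes=["ou=partners,dc=example,dc=com"])
ALICE = {"dn": "uid=alice,ou=Sales,dc=example,dc=com", "role_dns": [ROLE.dn]}
BOB = {"dn": "uid=bob,ou=people,ou=partners,dc=example,dc=com", "role_dns": [ROLE.dn]}
CAROL = {"dn": "uid=carol,ou=hr,dc=example,dc=com", "role_dns": [ROLE.dn]}
EVE = {"dn": "uid=eve,ou=partners,dc=example,dc=com", "role_dns": []}

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, EVE):
        print(u["dn"], has_role(u, ROLE))
```

The returned reason separates grants made through the extra scope from grants made through the role entry's own location, which is the distinction to record when reviewing who holds a role after the scope attribute is added.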